CVE-2022-31188

HIGH

CVAT <2.0.0 - SSRF

Title source: llm

Description

CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.

Exploits (2)

exploitdb WORKING POC

by Emir Polat · textwebappspython

https://www.exploit-db.com/exploits/51030

View Code ZIP pw:eip

nomisec WORKING POC 5 stars

by emirpolatt · poc

https://github.com/emirpolatt/CVE-2022-31188

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/169814/CVAT-2.0-Server-Side-Request-Forgery.html

[Patch, Third Party Advisory] https://github.com/cvat-ai/cvat/commit/6fad1764efd922d99dbcda28c4ee72d071aa5a07

[Patch, Third Party Advisory] https://github.com/cvat-ai/cvat/security/advisories/GHSA-7vpj-j5xv-29pr

Scores

CVSS v3 8.6

EPSS 0.3573

EPSS Percentile 97.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Details

CWE

CWE-918

Status published

Products (2)

cvat/computer_vision_annotation_tool < 2.0.0

cvat/cvat < 2.0.0

Published Aug 01, 2022

Tracked Since Feb 18, 2026